JP2008227805A - Router device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a router device for improving safety in data communication between file servers and optimizing traffic. <P>SOLUTION: A VPN router 12A includes an HDD 27. When data of the HDD 27 are updated, a CPU 26 transmits the data to the Internet 50 via an encryption-decryption module 28 and a QoS module 29. The data are safely transmitted by the function of the VPN, and transmitted when the communication traffic is not congested by the QoS module 29. Thus, the access of a client 11 is not interrupted. Besides, the request of the client 11 is transferred to another router via the VPN when the HDD 27 fails, so that access to the HDD 27 by a third person can be excluded. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a router device that optimizes communication traffic and improves the safety of data communication.

  2. Description of the Related Art Conventionally, network systems that store data in a file server with a built-in storage unit have been operated in companies and the like. A hard disk is used for the storage unit of the file server because of the storage capacity and cost. However, hard disks have a high failure rate and often hinder network system operations. Therefore, a plurality of file servers are installed and replication is performed to synchronize data between the file servers (see, for example, Patent Document 1).

  Conventional replication will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of a network system when replication is performed. In the figure, a file server 1A, a client 2, and a router 3A are installed at a point A, and a file server 1B and a router 3B are installed at a point B. The file server 1A, client 2, and router 3A are connected via a LAN 4A. The file server 1B and the router 3B are connected via a LAN 4B. The router 3A and the router 3B are connected via the Internet 50.

  The client 2 stores data in the file server 1A. Also, a request for reading stored data from the file server 1A is made. When new data is stored in the file server 1A, the new data is transmitted from the file server 1A to the file server 1B, and synchronous communication is performed.

Further, when the hard disk built in the file server 1A fails, when the client 2 makes a request to read data, the request is transferred to the file server 1B. Therefore, the client 2 can read the target data even when the hard disk of the file server 1A is out of order.
Japanese Patent No. 3213766

  However, when performing the above replication, the following problems have occurred.

  (1) Since file servers are connected via the Internet, which is a public communication network, there is a risk of eavesdropping.

  (2) Since synchronous communication of data is performed between file servers, the communication traffic is affected, and the communication speed of the client may decrease.

  (3) When a client request is transferred, the file server on the receiving side cannot distinguish whether it is a request from a legitimate client or a request from another person (attacker), and it is safe. There was a problem with sex.

  Accordingly, an object of the present invention is to provide a router device capable of improving the safety of data communication between file servers and optimizing traffic.

  The router device of the present invention includes an external interface connected to the Internet, an internal interface connected to a local area network, a storage unit for storing data, and encrypting or decrypting input data. An encryption / decryption unit for adding or extracting identification information for identifying the transmission source of the communication, a communication control unit connected to the external side interface for controlling the priority order of data transmission / reception, the internal side interface, or the external side A control unit that transmits predetermined data to the internal interface or the external interface based on data input from the interface, the control unit being stored in the storage unit When updated data is updated, the updated data is encrypted by the encryption / decryption unit. The identification information is added and transmitted to the external interface via the communication control unit, and when data is received from the external interface, the data is decrypted by the encryption / decryption unit, and a predetermined transmission is performed. When the original identification information cannot be extracted, the original identification information is discarded, and the communication control unit preferentially transmits / receives data of the client device of the local area network connected via the internal interface. It is characterized by doing.

  In this configuration, a control unit for realizing a file server function in a router device having a network interface connected to the Internet and a network interface connected to a local area network and having a VPN (Virtual Private Network) function. And a storage unit. When the data in the storage unit is updated, the data is transmitted to another file server using the VPN function. As a result, replication is performed safely. Further, since the communication control unit gives priority to the communication of the client on the local area network side, the communication traffic is not affected by the replication. In addition, since data received from the Internet side is discarded unless it is data from a legitimate client, requests (ie attacks) from other clients on the Internet can be eliminated.

  In addition, according to the present invention, the control unit further reads request data for reading data stored in the storage unit from the internal interface or the external interface, or request data for writing data to the storage unit Is received, and when the storage unit is determined to be faulty, the received request data is encrypted by the encryption / decryption unit, and the identification information is added to the request data. It transmits to an external side interface via a communication control part, It is characterized by the above-mentioned.

  In this configuration, when a failure occurs in the storage unit of the own device, the client request data is transferred to another device. This request data is also transferred securely using the VPN function.

  According to the present invention, the safety of data communication between file servers is improved by realizing a file server function in a router device having a plurality of interfaces and a VPN function.

  In addition, communication traffic can be optimized by giving priority to client communication.

  Also, attack access from the Internet side is excluded in order to exclude access from non-regular clients.

  Hereinafter, a network system according to an embodiment of the present invention will be described with reference to the drawings. FIG. 2 is a block diagram showing the configuration of the network system. FIG. 3 is a block diagram showing the configuration of the router device. This router device is a router device having a VPN function, and further has a built-in hard disk as a large-capacity storage unit and also functions as a file server.

  In FIG. 2, a client 11 and a VPN router 12A are installed at a point A, and a VPN router 12B is installed at a point B. The client 11 and the VPN router 12A are connected via a LAN 14A. The VPN router 12B is connected to another device (not shown) via the LAN 14B. The VPN router 12A and the VPN router 12B are connected via the Internet 50.

  The VPN router 12A and the VPN router 12B have the same configuration and functions, and FIG. 3 shows the configuration of the VPN router 12A as a representative.

  In FIG. 3, the VPN router 12A includes a network interface (network I / F) 21, a network I / F 22, a bus 23, a RAM 24, a ROM 25, a CPU 26, a hard disk (HDD) 27, an encryption / decryption module 28, and a QoS module 29. I have.

  The network I / F 21, RAM 24, ROM 25, CPU 26, HDD 27, encryption / decryption module 28, and QoS module 29 are connected via a bus 23. The QoS module 29 is directly connected to the network I / F 22 and the encryption / decryption module 28.

  The network I / F 21 is an interface that is connected to the LAN 14A and performs data transmission / reception between the LAN 14A and the VPN router 12A. The network I / F 22 is an interface that is connected to the Internet 50 and performs data transmission / reception between the Internet 50 and the VPN router 12A.

  The RAM 24 is a work memory, and an operation program for the CPU 26 is developed. The ROM 25 includes a flash memory, an EEPROM, and the like, and stores a program for operating the VPN router 12A. The CPU 26 performs various operations by reading the operation program from the ROM 25 and developing it in the RAM 24.

  The HDD 27 is a large-capacity storage unit, and stores various data in response to requests from clients. The CPU 26 transmits and receives data between the HDD 27 and the interface 21 or between the HDD 27 and the interface 22 in response to a request from the client. Thereby, the VPN router 12A functions as a file server. A function as a normal router (packet transfer) and a function as a file server are distinguished by an IP address and a port number included in a request from a client.

  The HDD 27 may be built in the router device as shown in FIG. In the case of a conventional router device having an external interface (for example, USB), an external HDD is connected, and the operation program stored in the ROM of the router device is changed to be the same as the router device of this embodiment. Configuration and function can be realized.

  The encryption / decryption module 28 encrypts the data input from the bus 23, adds header information indicating the addresses of the transmission source and the transmission destination, and transmits the data to the network I / F 22 via the QoS module 29. Also, the encrypted data input from the network I / F 22 is decrypted via the QoS module 29. The data is packetized and transmitted / received. Any communication protocol, encryption method, and decryption method may be used. For example, PPTP or IPsec protocol is used.

  The QoS module 29 controls the data communication speed and priority according to the setting of the CPU 26. For example, if there is an access from the client 11 to the WWW server, a bandwidth for this access (data transmission) is secured, and the data of the client 11 is preferentially transmitted. This QoS module 29 corresponds to the communication control unit of the present invention.

  The CPU 26 performs various processes based on a request from the client 11 input from the LAN 14A or packet data input from the Internet 50. When access to the WWW server is input from the client 11 via the network I / F 21, this data is transmitted from the bus 23 to the network I / F 22 via the QoS module 29. When there is a request from the client 11 to access the data in the HDD 27 via the network I / F 21, the predetermined data stored in the HDD 27 is read and transmitted to the client 11. When there is a request for writing data from the client 11 to the HDD 27 via the network I / F 21, the request content data is written to the HDD 27.

  When the CPU 26 writes data to the HDD 27 and the data stored in the HDD 27 is updated, the CPU 26 performs synchronization processing (replication) with the HDD 27 built in the VPN router 12B. In the synchronization process, the CPU 26 reads the update data from the HDD 27 and inputs it to the encryption / decryption module 28. The update data is converted into packet data conforming to the PPTP or IPsec protocol by the encryption / decryption module 28 and transmitted to the VPN router 12B via the QoS module 29, the network I / F 22, and the Internet 50. Since the update data is encrypted and transmitted / received by VPN, the risk of eavesdropping is extremely low. Thereby, replication can be performed safely.

  The synchronization process and the access from the client 11 to the WWW server may be performed at the same time. However, the QoS module 29 reserves a band for the data transmitted by the client 11, and the client 11 Since access is preferentially processed, the synchronization processing does not affect the traffic of communication.

  Further, the CPU 26 determines the failure state of the HDD 27 when there is a request for accessing data in the HDD 27 from the client 11 or a request for writing data in the HDD 27. That is, it is determined whether or not the HDD 27 is physically unable to read and write data. When the HDD 27 has failed, the CPU 26 transfers the request from the client 11 to the VPN router 12B that is another file server. The transfer of this request is also encrypted by VPN. The CPU 26 inputs a request from the client 11 to the encryption / decryption module 28. The request from the client 11 is converted into packet data conforming to the PPTP or IPsec protocol by the encryption / decryption module 28 and transmitted to the VPN router 12B via the QoS module 29, the network I / F 22, and the Internet 50. The request is decrypted by the encryption / decryption module 28 of the VPN router 12B, and predetermined data is read from the HDD 27 or predetermined data is written to the HDD 27. Here, the CPU 26 receives data other than legitimate packet data, for example, data that has not been transmitted by PPTP or IPsec protocol, data whose transmission source is unknown (not a specified IP address), etc. Discard this. Thus, requests (ie attacks) from other clients on the Internet can be eliminated.

  Hereinafter, the operation of the CPU 26 will be described in detail. FIG. 4 is a flowchart showing the operation of the CPU 26 when data (packet) is input to the network I / F 21 or the network I / F 22. First, the CPU 26 determines whether the I / F to which data is input is the LAN side (network I / F 21) or the Internet side (network I / F 22) (s11). If the CPU 26 determines that the input is from the LAN side, it determines whether or not the file server access is made (s11 → s12). File server access refers to a request to access data in the HDD 27 or a request to write data to the HDD 27. If it is not file server access, data is transmitted to the Internet 50 via the QoS module 29 and the network I / F 22 (s13), and the operation is terminated. At this time, the communication speed and priority may be set in the QoS module 29. The QoS module 29 gives priority to client access when a plurality of data is input simultaneously.

  On the other hand, if the CPU 26 determines in s12 that it is file server access, it first determines whether or not the HDD 27 has a failure (s12 → s14). If there is no failure in the HDD 27, the corresponding process is performed (s15). For example, if the request is to access data in the HDD 27, the corresponding data is read from the HDD 27 and transmitted to the client 11.

  When there is a failure in the HDD 27, the CPU 26 performs a transfer process (s16). In the transfer process, the file server access is encrypted by the encryption / decryption module 28 and transmitted to another VPN router (VPN router 12B) via the QoS module 29 and the network I / F 22.

  In s11, if the CPU 26 determines that the input is from the Internet side, it determines whether or not it is file server access (s11 → s17). Here, the file server access received from the Internet side may be a client request transferred from another VPN router, a request from another client on the Internet, or the like. If it is not file server access, the CPU 26 performs a corresponding process (s17 → s18). For example, in the case of reply data to a client request transmitted from a WWW server on the Internet, this is transmitted to the client.

  If the CPU 26 determines that the access is file server access, it determines whether or not this is regular packet data (s17 → s19). If it is not regular packet data, this data is discarded (s20). Packet data that cannot be decoded by the QoS module 29 is also discarded. This prevents other people from inadvertently accessing the file server via the Internet.

  If the CPU 26 determines that the packet data is legitimate in s19, the CPU 26 determines the failure of the HDD in s14 (s19 → s14). If there is no failure in the HDD 27, the corresponding process is performed. If there is a failure in the HDD 27, a transfer process is performed. As a result, if the HDD functions normally, predetermined data is read from the HDD 27 or predetermined data is written to the HDD 27. If the HDD is not functioning properly, the client request is further transferred to another VPN router.

  Next, FIG. 5 is a flowchart showing the operation of the CPU 26 when the data in the HDD 27 is updated. This operation is performed in parallel with the operation shown in FIG. When the data in the HDD 27 is updated, the CPU 26 reads the corresponding data from the HDD 27 (s31). Thereafter, the CPU 26 inputs the read data to the encryption / decryption module 28, encrypts it, and converts it into predetermined packet data. Also, the packet data is transmitted via the QoS module 29 when there is a vacant communication traffic (s32).

  As described above, in the network system according to the present embodiment, the VPN router is provided with the file server function, so that replication is executed safely by the VPN function. The QoS module 29 gives priority to client access, and synchronous communication at the time of replication is performed when communication traffic is idle, so that replication can be executed without hindering client access. Furthermore, since the client request is transferred by the VPN function when the HDD 27 fails, access from others on the Internet can be excluded.

It is the figure which showed an example of the network system in the case of performing replication. It is a block diagram which shows the structure of the network system which concerns on embodiment of this invention. It is a block diagram which shows the structure of a VPN router. It is a flowchart which shows operation | movement of CPU26 when data are input into an interface. 6 is a flowchart showing the operation of the CPU 26 when data in the HDD 27 is updated.

Explanation of symbols

11-Client 12A, 12B-VPN router 14A, 14B-LAN
50-Internet

Claims (2)

An external interface connected to the Internet;
An internal interface connected to the local area network;
A storage unit for storing data;
An encryption / decryption unit that encrypts or decrypts input data and adds or extracts identification information for identifying the transmission source of the data;
A communication control unit that is connected to the external interface and controls the priority of data transmission and reception;
A control unit that transmits predetermined data to the internal interface or the external interface based on data input from the internal interface or the external interface,
When the data stored in the storage unit is updated, the control unit encrypts the updated data with the encryption / decryption unit, adds the identification information, and passes through the communication control unit. Send to the external interface,
When data is received from the external interface, the data is decrypted by the encryption / decryption unit, and when the identification information of a predetermined transmission source cannot be extracted, the data is discarded.
The communication control unit preferentially transmits / receives data of a client device of a local area network connected via the internal interface. When the control unit receives, from the internal interface or the external interface, request data for reading data stored in the storage unit or request data for writing data to the storage unit, the storage unit Determine the failure status of
2. When it is determined that there is a failure in the storage unit, the received request data is encrypted by the encryption / decryption unit, added with the identification information, and transmitted to the external interface via the communication control unit. The router device described in 1.

Images